- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Thu, 22 Jan 2009 19:46:44 -0600
- To: Adam Barth <w3c@adambarth.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Adam Barth wrote:
> On Thu, Jan 22, 2009 at 3:07 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> 1) CSRF is not a security issue for the Web. A well-designed Web
>> service should be capable of receiving requests directed by any host,
>> by design, with appropriate authentication where needed.
>
> Many Web sites contain CSRF vulnerabilities and find it difficult to
> engineer CSRF defenses. The goal of the Origin header is to make it
> easier for these sites to defend themselves against CSRF attacks. For
> example, a site can use the header to defend itself against CSRF using
> a simple Web application firewall.

Does a protocol which provides for inherent spoofing methods actually add
value to the design of the application, or simply provide another security
check box which authors can apply, only to be routed about in the very next
request?

If you really wanted to solve this programmatically, you would add a
specific hash or nonce to identify the origin to itself... oh wait,
never mind, that's digest authentication.

Bill
Received on Friday, 23 January 2009 01:47:25 UTC
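The two mechanisms the message contrasts, an Origin-header check of the kind a simple Web application firewall could apply and a server-issued nonce bound to the session, side by side in a small added example. This is illustration code written for this page, not anything from the thread participants or from any specification; the site origin, session id, secret key and the three request samples are all constructed for the demonstration, and the request is modelled as a plain dict of headers plus a dict of form fields rather than any real framework object.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (constructed for this example).
SITE_ORIGIN = "https://example.test"


def request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer.

    Returns None when neither header is present. A Referer is reduced to
    scheme://host[:port] so that it compares like an Origin value.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin
    referer = headers.get("Referer")
    if referer is None:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def origin_check(headers, site_origin=SITE_ORIGIN):
    """Header-based check a WAF could apply to state-changing requests.

    Passes only on an exact match (scheme, host and port); a missing
    header, the literal "null" origin and any foreign origin are rejected.
    """
    return request_origin(headers) == site_origin


def make_csrf_token(secret_key, session_id):
    """Issue a fresh nonce bound to the session with an HMAC.

    The server embeds the token in its own pages; a cross-site page cannot
    read it, and a client that does not hold secret_key cannot forge it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret_key, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret_key, session_id, token):
    """Recompute the HMAC for the presented nonce; constant-time compare."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret_key, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def evaluate(headers, form, secret_key, session_id):
    """Run both checks on one request; returns (origin_ok, token_ok)."""
    return (origin_check(headers),
            verify_csrf_token(secret_key, session_id,
                              form.get("csrf_token", "")))


def demo():
    """Three constructed requests against the same logged-in session."""
    secret_key = b"server-side secret (constructed)"
    session_id = "sess-1234"
    token = make_csrf_token(secret_key, session_id)

    # 1. Genuine same-origin form post carrying the token the site issued.
    legit = evaluate({"Origin": SITE_ORIGIN}, {"csrf_token": token},
                     secret_key, session_id)
    # 2. Browser-driven CSRF from another site: the browser fills in
    #    Origin itself and the attacker's page never saw the token.
    forged = evaluate({"Origin": "https://attacker.test"}, {},
                      secret_key, session_id)
    # 3. Client that writes its own headers: Origin is whatever it says,
    #    but the token still cannot be produced without the server's key.
    spoofed = evaluate({"Origin": SITE_ORIGIN}, {"csrf_token": "deadbeef.0000"},
                       secret_key, session_id)
    return {"legit": legit, "browser_csrf": forged, "spoofed_origin": spoofed}


if __name__ == "__main__":
    for name, (o, t) in demo().items():
        print(f"{name:15s} origin_check={o} token_check={t}")
```

Running it prints one line per sample: the genuine post passes both checks, the browser-driven cross-site post fails both, and the request that sets its own Origin passes the header check but not the token check. The Referer fallback and the rejection of a missing or "null" Origin are the edge cases a deployment has to decide on explicitly; the example takes the strict choice.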